
Comment spam is a common issue that WordPress site owners face. It happens when unwanted or fake comments flood your website, often posted by bots or people promoting links, products, or harmful content. These spammy comments can mess up your site, slow it down, and even harm your search engine ranking. What’s worse, they can damage your credibility if visitors see irrelevant or offensive comments frequently.
To keep your website safe, fast, and professional, it’s crucial to stop spam comments. A clean and well-maintained comment section encourages meaningful engagement, allowing visitors to interact with your content without distractions. This improves the user experience and helps your WordPress website maintain a strong reputation.
This tutorial shows you 4 effective ways to stop WordPress comment spam. We’ll discuss using WordPress’s built-in features, implementing reCAPTCHA, using plugins, and even employing advanced tools like a web application firewall (WAF).
KEY TAKEAWAYS
- Use WordPress’s built-in tools to block spam easily.
- Restrict the number of links allowed in comments to reduce spammy content.
- Enable reCAPTCHA on your comment forms to stop bots while keeping it simple for real users.
- Install anti-spam plugins for automated spam protection.
- Use a Web Application Firewall (WAF) like Cloudflare or Sucuri to block harmful traffic before it reaches your site.
- Regularly review and update your comment settings to stay ahead of new spam tactics.
- Disable comments entirely on posts or pages where they aren’t required.
- Combine multiple strategies for the best protection against comment spam while keeping your site user-friendly.
Use Built-in Features to Prevent WordPress Comment Spam
WordPress is a widespread content management system offering several built-in features that help you remove spam comments effectively without needing extra tools. You can restrict comments to registered users, enable manual moderation, and create a disallowed word list to filter inappropriate content.
In addition, limiting links in comments or even disabling comments entirely can further protect your site against spam. These features are easy to set up directly from your WordPress admin dashboard. Let’s dive in and learn how to do it.
Allow Comments from Registered Users
Restricting comments to registered and logged-in users is a great way to filter out unwanted spam. This setting ensures that only people with an account on your site can leave comments. Spam bots and anonymous spammers are less likely to go through the effort of registering, which helps keep the comment section cleaner.
To enable this option:
Log in to your WordPress dashboard. Go to Settings → Discussion. Mark the box next to Users must be registered and logged in to comment and save your changes.

Here, you may also close comments on your old posts. This is important as older posts often attract more spam. Spammers target the website owner’s content when it’s less monitored or no longer actively engaged. Over time, these posts can become a hotspot for unwanted and irrelevant comments, cluttering your site and increasing the risk of spam-related issues.
To do this, mark Automatically close comments on old posts and enter the number of days after which comments should be closed. WordPress will handle the rest. This simple step helps maintain a cleaner, more professional website while reducing the workload of moderating older posts.

Enable Comment Moderation
Comment moderation is a powerful way to stop spam from appearing on your WordPress website. With this feature, every comment must be manually approved before it goes live. This lets you review each comment and ensure only meaningful and appropriate ones are published. It’s an easy step that adds extra control and security to your site.
To enable comment moderation in WordPress:
Go to WordPress Dashboard → Settings → Discussion. Scroll to Before a comment appears. Check the box for Comment must be manually approved. After that, scroll down to the bottom and click Save Changes.

When this setting is active you receive a notification for every new comment. You can then approve, delete, or mark it as spam directly from your dashboard.
Create a List of Disallowed Words
An effective way to prevent WordPress comment spam on your site is by using Comment Moderation and Disallowed Comment Keys. These features allow you to flag or block comments containing specific words, phrases, or links, keeping your comment section clean and professional.
You can filter out spammy links, offensive language, or repetitive keywords by creating a list of disallowed words. Comments with flagged terms are either held for moderation or rejected outright, helping you maintain a relevant and spam-free discussion space on your site.
How to Use Comment Moderation
Comment moderation allows you to review specific comments before they appear on your WordPress website. Here’s how to set it up:
Navigate to WordPress Dashboard → Settings → Discussion. Find Comment Moderation. Enter phrases or words you want to flag and manually review in the provided text area. For instance, add terms like “buy now”, “promo link”, or any spam-related keywords.
You can also enter a number so that WordPress holds a comment in the moderation queue if it contains that many links or more. Then, scroll down and click Save Changes.

When a comment contains any of these words, it won’t appear on your site right away. Instead, it will be held for your approval, giving you control over what gets published.
How to Use Disallowed Comment Keys
The Disallowed Comment Keys feature goes one step further; it blocks comments outright if they include certain flagged terms. Follow these steps to configure it:
Go to WordPress Dashboard → Settings → Discussion. Scroll down to Disallowed Comment Keys. Add one word, phrase, or IP address per line in the provided text box. Examples may include “free money” or “click here”. Now, scroll further down and click Save Changes.

Comments containing these keys will be automatically rejected, reducing time spent moderating spam.
TIP: Combining Comment Moderation and Disallowed Comment Keys features ensures your comment section stays relevant and engaging and minimizes distractions and risks caused by WordPress comment spam.
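How the two key lists and the link threshold interact, as an added example (not WordPress core code and not part of the original tutorial): a stand-alone PHP model that assumes keys are matched as case-insensitive substrings of the comment fields, the way WordPress does. The function names, settings and sample comments are constructed.

```php
<?php
// Added example: a simplified model of how WordPress matches comment keys.
// Not WordPress core code; names and sample data are constructed.

// Return the first key that occurs, case-insensitively, inside any field.
function first_matching_key(string $keys, array $fields): ?string {
    foreach (explode("\n", $keys) as $key) {
        $key = trim($key);
        if ($key === '') {
            continue; // blank lines in the settings box are skipped
        }
        $pattern = '#' . preg_quote($key, '#') . '#iu'; // literal substring, no word boundaries
        foreach ($fields as $value) {
            if (preg_match($pattern, $value) === 1) {
                return $key;
            }
        }
    }
    return null;
}

// Classify a comment as 'blocked', 'held' or 'published', with the reason.
function classify_comment(array $c, string $disallowed, string $moderation, int $max_links): array {
    $fields = [$c['author'], $c['email'], $c['url'], $c['content'], $c['ip'], $c['agent']];
    if (($key = first_matching_key($disallowed, $fields)) !== null) {
        return ['blocked', "disallowed key '$key'"];
    }
    // Modelled on core's count of HTML anchors; a bare URL in the text is not counted.
    $links = (int) preg_match_all('/<a [^>]*href/i', $c['content']);
    if ($max_links > 0 && $links >= $max_links) {
        return ['held', "$links links"];
    }
    if (($key = first_matching_key($moderation, $fields)) !== null) {
        return ['held', "moderation key '$key'"];
    }
    return ['published', 'no match'];
}

// Constructed settings and comments (IP addresses are from documentation ranges).
$disallowed = "free money\nclick here\n203.0.113.1";
$moderation = "buy now\npromo";
$base = ['author' => 'Sam', 'email' => 'sam@example.com', 'url' => '', 'agent' => 'Mozilla/5.0'];
$comments = [
    $base + ['ip' => '198.51.100.7',  'content' => 'CLICK HERE for Free Money!'],
    $base + ['ip' => '198.51.100.8',  'content' => 'See <a href="https://a.example">a</a> and <a href="https://b.example">b</a>'],
    $base + ['ip' => '198.51.100.9',  'content' => 'Thanks, this helped with my promotion at work.'],
    $base + ['ip' => '203.0.113.150', 'content' => 'Great tutorial, bookmarked.'],
    $base + ['ip' => '198.51.100.10', 'content' => 'Read more at https://example.org/post'],
];

foreach ($comments as $c) {
    [$verdict, $why] = classify_comment($c, $disallowed, $moderation, 2);
    printf("%-9s %-28s %s\n", $verdict, "($why)", $c['content']);
}
```

Run it with the `php` command line. The third and fourth comments show the cost of substring matching: “promo” holds a comment about a promotion, and the key 203.0.113.1 also blocks 203.0.113.150, so keep keys as specific as possible.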
Disable Comments Entirely
If WordPress spam comments become too overwhelming or your website doesn’t need a comment section, you can disable comments entirely. Turning off comments on posts and pages ensures no one can leave comments, eliminating spam. Here’s how to disable comments in WordPress:
Head over to WordPress Dashboard → Settings → Discussion. Under Default post settings, uncheck the checkbox that says Allow people to submit comments on new posts. Then, scroll down and click Save Changes.

This will stop comments on all new posts and pages. To disable comments on existing posts or pages:
Go to Posts → All Posts (or Pages → All Pages). Select the posts or pages you wish to update. Choose Edit from the bulk actions and click Apply.

Now, set the Comments option to Do not allow and click Update to save changes.

However, if you wish to close comments on an existing individual post or page, open that post or page in the editor. On the right side, change Open to Close for the Discussion option. Alternatively, uncheck Enable pingbacks & trackbacks.

This is particularly important if you’re experiencing WordPress comment spam or don’t actively use these features to engage with other blogs. Spammers exploit trackbacks and pingbacks to generate backlinks to their low-quality websites by sending fake trackbacks or using bots to flood your comments with harmful links.
These tactics damage your comments section and harm your SEO by associating your site with spammy content. So, disabling trackbacks and pingbacks is a simple way to prevent this. You can also disable them using WordPress Discussion settings.
Implement reCAPTCHA to Prevent WordPress Comment Spam
reCAPTCHA is a powerful tool that helps block spam by distinguishing between real users and bots. It asks users to complete simple challenges, like clicking a checkbox or selecting images, which bots can’t do effectively. Adding reCAPTCHA to your WordPress comment form is a smart way to reduce spam without stopping genuine comments.
Here’s how to integrate reCAPTCHA into your WordPress website:
Manually Adding reCAPTCHA
Step 1: Obtain Google reCAPTCHA Keys
Go to the Google reCAPTCHA website. Click v3 Admin Console and sign in with your Google account.


Now, register your site. To do this:
- Enter a label to identify your website.
- Choose the reCAPTCHA version you want.
- Add your domain name under Domains. Don’t include any protocol, path, port, query, or fragment.
- Write the project name for the Google Cloud Platform (GCP).
- Accept the reCAPTCHA Terms of Service.
- Click Submit to generate your site key and secret key.

Next, copy your site key and secret key.

Step 2: Add reCAPTCHA to the Comment Form
To add reCAPTCHA, sign in to your WordPress Admin Dashboard. Install and activate a plugin to add custom code snippets (e.g., Code Snippets plugin) or edit your theme’s functions.php file.
For this tutorial example, we edit the functions.php file. If you choose to do the same, always use a child theme to ensure your changes are not overwritten during theme updates. Additionally, to avoid potential data loss, back up your site before making any modifications.
Then, open your theme’s functions.php file via the WordPress Theme File Editor or an FTP client (FileZilla). Add the following code to display reCAPTCHA:
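```php
// Output the reCAPTCHA placeholder inside the comment form.
// api.js renders this div as the v2 checkbox widget, so the site key must be a v2 checkbox key.
function astra_add_recaptcha_to_comment_form() {
    echo '<div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>';
}
add_action('comment_form', 'astra_add_recaptcha_to_comment_form');
```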
Replace YOUR_SITE_KEY with the site key you generated after registering your site in Google reCAPTCHA.
Step 3: Verify reCAPTCHA Submission
To validate reCAPTCHA responses, ensure the comment is processed only if reCAPTCHA verification succeeds. To do that, add the following code to the same functions.php file:
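```php
// Reject the comment unless Google confirms the submitted reCAPTCHA token.
function astra_verify_recaptcha($commentdata) {
    $recaptcha_response = isset($_POST['g-recaptcha-response'])
        ? sanitize_text_field(wp_unslash($_POST['g-recaptcha-response']))
        : '';
    $secret_key = 'YOUR_SECRET_KEY';
    $remote_ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // siteverify expects a POST. Passing a body array URL-encodes every value
    // and keeps the secret key out of the request URL.
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', array(
        'body' => array(
            'secret'   => $secret_key,
            'response' => $recaptcha_response,
            'remoteip' => $remote_ip,
        ),
    ));
    // Fail closed: a network error or an unreadable reply counts as a failed check.
    $result = is_wp_error($response) ? null : json_decode(wp_remote_retrieve_body($response));
    if (empty($result->success)) {
        wp_die('Error: reCAPTCHA verification failed. Please go back and try again.');
    }
    return $commentdata;
}
add_filter('preprocess_comment', 'astra_verify_recaptcha');
```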
Replace YOUR_SECRET_KEY with the secret key that you copied earlier.
Step 4: Enqueue Google reCAPTCHA Script
To make the reCAPTCHA widget functional, include the required JavaScript library in the functions.php file:
```php
// Load Google's reCAPTCHA library on the front end so the widget can render.
function astra_enqueue_recaptcha_script() {
    wp_enqueue_script('google-recaptcha', 'https://www.google.com/recaptcha/api.js');
}
add_action('wp_enqueue_scripts', 'astra_enqueue_recaptcha_script');
```
Now, click Update File to save the modifications.

Step 5: Test Comment Form
Open a post on your website. Scroll down to the comment form and confirm that the reCAPTCHA widget appears (you can adjust the reCAPTCHA widget’s position). Then, submit a comment to test whether reCAPTCHA successfully verifies the response. If the verification fails, you’ll see an error message. If it passes, the comment will be submitted.

Use a Plugin
Install and activate the reCaptcha by BestWebSoft plugin. Once activated, go to reCaptcha → Settings in your WordPress dashboard. Under General settings, choose the reCaptcha version.

Enter your site key and secret key. We showed you how to get these keys in the previous solution.

Then, select the locations where you want to Enable reCaptcha.

Optionally, you can hide reCAPTCHA for specific WordPress user roles. For instance, in our example, we hide reCAPTCHA for website administrators. Lastly, click Save Changes.

Now, reCAPTCHA will start protecting your site from WordPress comment spam.

If reCAPTCHA verification fails, you’ll see the following error:

Use Anti-Spam Plugin to Stop WordPress Comment Spam
If you’re wondering how to stop spam comments on WordPress without registering on the Google reCAPTCHA site, use anti-spam plugins. WordPress offers several plugins that help you block, filter, or disable spam comments with minimal effort. Two of the most popular options are Akismet Spam Protection and Disable Comments. Here’s how to set these up to prevent WordPress comment spam:
Use Akismet Spam Protection Plugin
Akismet spam protection is free for personal and non-commercial use and is a reliable anti-spam plugin developed by Automattic, the team behind WordPress. This plugin works by automatically scanning all submitted comments and filtering out the ones that appear as spam.
One of Akismet’s key features is its ability to highlight URLs within comments, helping you detect hidden or misleading links that spammers often use. This ensures that only legitimate comments are displayed on your site.
Additionally, moderators can see the number of approved comments from each user, making it easier to manage genuine comments and save time during moderation. Here’s how to use Akismet to keep your comments section clean:
First, go to Plugins → Add New Plugin to install and activate the Akismet plugin. After activation, go to Settings → Akismet Anti-spam in your dashboard. Remember, if you’ve installed the Jetpack plugin, you’ll see the Akismet menu under Jetpack → Akismet Anti-spam.

The Akismet plugin will require an API key, which acts as your unique identifier, enabling Akismet to work seamlessly on your WordPress site. If you already have an API key, click Manually enter an API key and input your key. If you don’t have an API key, click Choose an Akismet plan.

Next, choose a subscription plan based on your needs. Akismet offers a free plan for personal use and paid ones for business and high-traffic websites. For personal use, click Get Personal.

After that, set the price slider to $0, verify non-commercial usage, and click Continue with personal subscription.

Then fill out the account setup form with the necessary information and verify your email address. Akismet will send your API key by email and also display it on the website. Copy this key.

Return to the WordPress Dashboard. Go to Plugins → Installed Plugins, find Akismet, and click Settings.

Click the Manually enter an API key option, enter your Akismet API key in the provided field, and click Connect with API key.

You’ll be redirected to the Akismet settings page. Scroll down to Settings and adjust the following:
- Comments: Display the number of approved comments next to each comment author.
- Spam Filtering: Choose to automatically discard the most severe spam or send all flagged comments to the Spam folder for manual review.
- Privacy: Decide whether to show a privacy notice below your comment forms, informing users that Akismet is in use.
Lastly, click Save Changes to apply your settings. The plugin will now start protecting your site immediately.

Important:
If you’re using Akismet to prevent spam in a contact form, ensure the form is compatible with Akismet and properly configured.
Use Disable Comments Plugin
As mentioned, you can disable comments using the built-in WordPress feature on the Discussion settings page. However, this method doesn’t remove the comments section from posts that have already been published. To completely disable comments across all posts, use the Disable Comments WordPress plugin as follows:
First, install and activate this plugin. Then, go to Settings → Disable Comments. Choose Everywhere: Disable comments globally on your entire website to disable comments everywhere on your website. Don’t forget to save your changes.

This plugin lets you turn off comments on specific posts, pages, or even individual media files. This flexibility makes it perfect for users who want to minimize maintenance or prevent spam by removing the comments feature.
Use Web Application Firewall to Stop WordPress Comment Spam
A Web Application Firewall (WAF) is a powerful tool designed to protect websites by monitoring and filtering HTTP traffic between your website and the internet.
It is a security shield that prevents malicious bots and proxies from reaching your WordPress site. Cloudflare and Sucuri are popular WAF providers that help protect your site by analyzing traffic patterns and blocking suspicious activities.
Automated bots generate spam comments targeting WordPress sites with irrelevant or harmful content. These bots typically exhibit suspicious behavior like high request rates or accessing multiple pages one after the other.
If you use a WAF, these bots are blocked at the network edge, before their requests reach WordPress, so they cannot access your comment section at all. This significantly reduces the number of spam comments on your site and helps maintain a professional appearance.
Implementing a WAF also brings additional benefits beyond preventing WordPress comment spam. It enhances website security by filtering out harmful traffic that could lead to cyberattacks.
Additionally, by blocking unwanted traffic, a WAF reduces the load on your server, improving your site’s performance and speed. With fewer spam comments getting through to your moderation queue, you can focus on engaging with genuine visitors instead of dealing with irrelevant or malicious content.
FAQS
What is WordPress comment spam?
WordPress comment spam refers to unwanted, irrelevant, or harmful comments left on your site. These comments are often posted by bots or spammers trying to promote links, products, or malware. They don’t add value to your site and can hurt its reputation and SEO if not managed.
Are plugins the best way to prevent spam comments?
Plugins are one of the easiest and most effective ways to combat spam. Plugins like Akismet automatically block or filter spam comments, saving you time. However, combining plugins with strategies like reCAPTCHA or a Web Application Firewall (WAF) provides better protection.
Does WordPress comment spam affect my site’s SEO?
Yes, spam comments can harm your SEO if they contain harmful links or irrelevant content. The search engine may reduce your rankings and penalize your site for hosting spammy links. Using anti-spam tools helps protect your SEO efforts.
Is there a way to monitor spam activity on my site?
Yes, many plugins like Akismet provide spam activity reports. These tools show how many spam comments were blocked and allow you to review flagged comments. Monitoring these reports helps ensure that your anti-spam settings are working effectively.
What does a hosting provider do to prevent spam?
A good hosting provider can help prevent spam by offering built-in security features like firewalls, spam detection, and automatic updates. Many hosting services also monitor unusual activity and can assist if your site is overwhelmed by spam.